4.3

CVE-2026-23866

Media report
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
Data provided by the National Vulnerability Database (NVD)
WhatsApp WhatsApp SwPlatform android Version >= 2.25.8.0 <= 2.26.7.10
WhatsApp WhatsApp SwPlatform iphone_os Version >= 2.25.8.0 <= 2.26.15.72
No alert was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.46% 0.367
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
cve-assign@fb.com 4.3 2.8 1.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-940 Improper Verification of Source of a Communication Channel

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

VulnDex Intel
Media Report
11.05.2026 16:03
https://www.whatsapp.com/security/advisories/2026
Vendor Advisory
https://www.facebook.com/security/advisories/cve-2026-23866
Third Party Advisory